checksecurity(8) [linux man page]

CHECKSECURITY(8)					      System Manager's Manual						  CHECKSECURITY(8)

NAME
       checksecurity - Run a collection of simple system checks

SYNOPSIS
       checksecurity

DESCRIPTION
       The checksecurity command runs a small collection of simple system checks which are designed to catch a few common security issues. checksecurity is run by cron on a daily basis.

CONFIGURATION
       The checksecurity.conf file defines several configuration variables: MAILTO, CHECK_DISKFREE, CHECK_PASSWD, CHECK_SETUID and LOGDIR. Each is described below.

       The checksecurity program works with a collection of plugins which are located in /usr/share/checksecurity and are configured individually by their own configuration file.

       CHECK_PASSWD
              If this is set to TRUE then the check-passwd script will be invoked. This script is designed to report upon system accounts which have no passwords.

       CHECK_DISKFREE
              If this is set to TRUE then the check-diskfree script will be invoked and will allow an alert to be sent if any mounted partition is running short on disk space.

       CHECK_SETUID
              If this is set to TRUE then the check-setuid script will be invoked. It compares the setuid binaries on the system to those that existed previously and shows the differences.

FILES
       /etc/checksecurity.conf
              checksecurity configuration file

SEE ALSO
       check-diskfree(8), check-setuid(8), and check-passwd(8)

Debian Linux                    2 February 1997                    CHECKSECURITY(8)

Check Out this Related Man Page

CHECKSECURITY(8)					      System Manager's Manual						  CHECKSECURITY(8)

NAME
       checksecurity - check for changes to setuid programs

SYNOPSIS
       checksecurity

DESCRIPTION
       The checksecurity command scans the mounted file systems (subject to the filter defined in /etc/checksecurity.conf) and compares the list of setuid programs to the list created on the previous run. Any changes are printed to standard output. Also, it generates a list of nfs and afs filesystems that are mounted insecurely (i.e. they are missing the nodev and either the noexec or nosuid flags).

       checksecurity is run by cron on a daily basis, and the output is stored in /var/log/setuid/setuid.changes.

CONFIGURATION
       The checksecurity.conf file defines several configuration variables: CHECKSECURITY_FILTER, CHECKSECURITY_NOFINDERRORS, CHECKSECURITY_NONFSAFS, CHECKSECURITY_EMAIL, CHECKSECURITY_DEVICEFILTER, CHECKSECURITY_PATHFILTER, and LOGDIR. Each is described below.

       The CHECKSECURITY_FILTER environment variable is the argument of 'grep -vE' applied to the output of the mount command. In other words, the value of CHECKSECURITY_FILTER is a regular expression that removes matching lines from those file systems that will be scanned.

       The default value removes all file systems of type proc, bind, msdos, iso9660, ncpfs, nfs, afs, smbfs, auto, ntfs, coda file systems, anything mounted on /dev/fd*, anything mounted on /mnt or /amd, and anything mounted with option nosuid or noexec.

       The checksecurity.conf file is sourced from checksecurity, so you could do some fairly tricky things to define CHECKSECURITY_FILTER.

       The CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal "TRUE", disables find errors from checksecurity (actually, it re-routes them to /dev/null).

       The CHECKSECURITY_NONFSAFS environment variable, if set to the literal "TRUE", disables the message about nfs and afs file systems that are mounted without the nodev and either the noexec or nosuid options.

       If set, the CHECKSECURITY_EMAIL variable defines who is sent a copy of the setuid.changes file.

       The CHECKSECURITY_DEVICEFILTER variable specifies a find clause for which matching block and character device files will not be monitored for changing owners and permissions. For example, if you don't want to check for permission changes on tty device files beneath /dev, you could set the following:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note that any added or modified suid programs under that path would still be detected. If you want to specify multiple expressions, separate them with '-o', but there is no need to surround the whole clause with parentheses.

       To disable this filter, specify it as '-false' (which is the default). Note that if the system gets restarted often, checksecurity will report a lot of changes in the /dev/ subdirectory due to timestamp changes. In this case you might want to change it to:

              CHECKSECURITY_DEVICEFILTER='-path /dev/'

       The CHECKSECURITY_PATHFILTER variable specifies a find clause which will be pruned from the search path. This means that the entire subtree will be completely skipped. Thus, if you specify

              CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then the entire /var/ftp tree will be skipped. To disable this filter, specify it as '-false' (which is the default).

       LOGDIR sets the name of the directory which stores the files which track the permission and ownership changes. By default, they are in /var/log/setuid.

FILES
       /etc/checksecurity.conf
              checksecurity configuration file

       /var/log/setuid/setuid.today
              setuid files from the most recent run

       /var/log/setuid/setuid.yesterday
              setuid files from the previous run

Debian Linux                    2 February 1997                    CHECKSECURITY(8)
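The mount handling described above, as an added example that is not checksecurity's own code: it applies a 'grep -vE' filter to constructed mount output and flags nfs and afs mounts that lack nodev, or lack both noexec and nosuid. The sample mounts, EXAMPLE_FILTER and the function names are assumptions, and the filter is not the shipped default.

```shell
#!/bin/sh
# Added illustration, not the checksecurity script itself.

# Constructed sample of `mount` output (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec)
/dev/sdb1 on /home type ext4 (rw,nosuid,nodev)
/dev/sdc1 on /srv type xfs (rw,nodev)
fs1:/export on /data type nfs (rw,nodev,nosuid)
fs2:/scratch on /scratch type nfs (rw,noexec)
cell on /afs type afs (rw)
EOF
}

# Hypothetical filter in the spirit of CHECKSECURITY_FILTER: drop proc, nfs and
# afs mounts and anything mounted nosuid or noexec. Not the shipped default.
EXAMPLE_FILTER='type (proc|nfs|afs) |\(.*(nosuid|noexec).*\)'

# scan_targets: mount points that survive `grep -vE "$EXAMPLE_FILTER"`,
# i.e. the file systems that would be searched for setuid programs.
scan_targets() {
    grep -vE "$EXAMPLE_FILTER" | awk '{ print $3 }'
}

# insecure_netfs: nfs/afs mount points that are missing nodev, or that have
# neither noexec nor nosuid. Assumes mount points without spaces.
insecure_netfs() {
    grep -E ' type (nfs|afs) ' | while read -r dev _on mnt _type fs opts; do
        opts=",$(printf '%s' "$opts" | tr -d '()'),"
        ok_dev=no; ok_exec=no
        case $opts in *,nodev,*) ok_dev=yes ;; esac
        case $opts in *,nosuid,*|*,noexec,*) ok_exec=yes ;; esac
        [ "$ok_dev" = yes ] && [ "$ok_exec" = yes ] || printf '%s\n' "$mnt"
    done
}
```

Both functions read mount output on standard input, so `mount | scan_targets` and `mount | insecure_netfs` run them against a live host.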
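The setuid comparison between the previous and the most recent run, sketched as an added example (not the checksecurity script): one function lists setuid and setgid files under a directory with an optional pruned subtree, the other reports what changed between two such lists. The function names and the "mode uid gid path" line format are assumptions.

```shell
#!/bin/sh
# Added illustration, not the checksecurity script itself.

# setuid_snapshot DIR [PRUNE_PATH]
# Lists setuid/setgid regular files under DIR as "mode uid gid path", sorted,
# without crossing onto other file systems (-xdev). PRUNE_PATH plays the role
# of CHECKSECURITY_PATHFILTER='-path ...': that subtree is skipped entirely.
# Errors go to /dev/null, as with CHECKSECURITY_NOFINDERRORS=TRUE.
setuid_snapshot() {
    dir=$1
    prune=${2:-}
    if [ -n "$prune" ]; then
        set -- "$dir" -xdev -path "$prune" -prune -o
    else
        set -- "$dir" -xdev
    fi
    LC_ALL=C find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldn {} + 2>/dev/null |
      awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i
             print $1, $3, $4, p }' | sort
}

# setuid_changes YESTERDAY TODAY
# Prints "+ entry" for lines only in TODAY and "- entry" for lines only in
# YESTERDAY. A mode or owner change shows up as one "-" and one "+" line.
setuid_changes() {
    diff "$1" "$2" | sed -n 's/^> /+ /p; s/^< /- /p'
}
```

Timestamps and sizes are left out of each entry on purpose, so a reboot or a rebuilt file with unchanged mode and owner does not appear as a change.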